Does the server get a separate wg interface for every client that connects? Or does it do something like multipoint GRE interfaces with next hop addresses in the arp table?
Does this do a DH key agreement to guarantee forward secrecy or does it literally encrypt the packet with the peers public key?
Also is it in the scope of this project for peers to discover each other for direct communication, like a Phase3 DMVPN?
> Does the server get a separate wg interface for every client that connects?
No. Each wg interface has a public/private key. It then has a list of peers' public keys and associated allowed IPs. By tying each public key to the allowed IPs of that public key, you can be sure that if a packet comes from wg0 and comes from a particular src IP, it comes from who you want. So no need for a new wg0 for each peer.
> Does this do a DH key agreement to guarantee forward secrecy or does it literally encrypt the packet with the peers public key?
It uses a 1-RTT ECDH key agreement based on the Noise Protocol Framework, with identity hiding, perfect forward secrecy, and so forth. So, it does what you hoped it does. :)
> Phase3 DMVPN
I'm not familiar with this, but I'll read up on it. Just found a large cisco document describing it. I suspect that "automatic discovery" wouldn't be very much to my taste, but I'll read up on it before dismissing it wholesale.
The idea of Phase3 is that you have multiple node routers connected to a VPN hub. Think branch offices. When one node starts to talk to another node, the Hub initially facilitates the traffic, but it sends a NHRP(Next Hop Resolution Protocol) packet to the nodes telling them the public IPs of eachother, the nodes then negotiate their own VPN tunnel and start communicating directly without passing all traffic through the hub.
If I understand wireguard correctly it seems NHRP could be run using wiregard for transport, but it would cool if a separate NHRP daemon wasn't required, especially since wiregard is already tracking the mapping of internal to public IPs.
DMVPN capability would be outstanding and would make WireGuard much more useful in a AWS VPN situation. This video from the 2015 AWS re:Invent [0] conference has an overview of DMVPN and how it could be used in a AWS VPC.
>> Does the server get a separate wg interface for every client that connects?
> No. Each wg interface has a public/private key. It then has a list of peers' public keys and associated allowed IPs. By tying each public key to the allowed IPs of that public key, you can be sure that if a packet comes from wg0 and comes from a particular src IP, it comes from who you want. So no need for a new wg0 for each peer.
Does this mean that it is impossible for two clients to connect to the same VPN server from behind router doing NAT? Or does each client choose a random source port for their traffic and then the combination of source port and source IP identifies the client?
Oh cool you came to the kernel recipes talk. Much has progressed since then.
I wrote an email on LKML and netdev today to David Miller, the network subsystem maintainer. It's not ready for a [PATCH] set now, but it is ready to get initial feedback from them, so that I can start to get things ready for upstreaming. So: that's on the roadmap and a primary objective!
Would you mind dual-licensing under a more permissive license (BSD or MIT) so the work can be included in the BSD family of operating systems as well as Linux?
I answered this question elsewhere. The answer is that - probably, why not? I need to think about it for more than a few seconds. But the only reason I chose GPLv2 is because that's what Linux uses. I'll quit being lazy and think more carefully about licenses, and hopefully we'll wind up with something good for the BSDs.
I am not a lawyer but in my eyes having a BSD/MIT license will also save you from a corporation "adopting" your technology and sue you afterwards for infringing a super vague patent of theirs... or something along the lines.
If your work is in the public domain, then at least the corporations would have much harder time hijacking and wall-garden it, and the chances of them simply giving up are higher. Or so I hope.
I've read a good chunk of your website. GREAT WORK! Do not give up, you're doing next-level work. =)
The corporations haven't really left us with good impressions in the last 15 years though, did they?
If I learned anything from those last 15 years is that they'll sue you if you don't agree the Moon is made of cheese if it suits their agenda.
So I remain cynical towards them. If they can hijack a good technology for their own profit, they will do it. I think we all knew that much at this point?
As I pointed out, I am not a lawyer. I have however read news vaguely similar to what I described, many times through the years. It really makes me fearful that in the end you're vulnerable just for publishing your work...
I do hope I am very naively wrong. But history hasn't given us much comfort in this area so far.
Thanks for considering it! For what it's worth, there is dual BSD/GPL precedent in various places in Linux (e.g., most of the drm GPU drivers, NTB, etc).
Can I bind it to external ip addresses and give a certain user an outgoing (or even private ips that I can then forward) address I chose? Don't know if my question makes sense but I'm interested in routing a certain user to a certain ip every time he/she connects.
WireGuard as a simple associations between public keys and each public keys list of allowed IPs. Within this structure, it seems like you should be able to do what you want.
Hey! Knew I recognized that username. You also make pass which I've been using since you released that too. Definitely going to give this a run. Thanks for more useful tools!
Don't have time for a detailed review. However, I like that you're working to replace IPsec with something simpler, easier to use, and with flexible deployment. Crypto algorithms look better than most VPN's I see as well. Good work on all that. Just remember to aid others' verification efforts later on by keeping it modular, minimal shared state, simple constructions in code, and so on. Whatever passes through a decent static analysis tool.
Also, one of easiest, formal methods is Design by Contract which can be emulated with asserts for pre- and post-conditions plus main invariants. Quite useful to encode operating assumptions in there. Such can also be used for automating test-case generation, fuzzing, dynamic analysis, and covert channel analysis. Oh yeah, definitely do a covert channel analysis on anything that gets near the keys to plug any leaks.
> Just remember to aid others' verification efforts later on by keeping it modular, minimal shared state, simple constructions in code, and so on. Whatever passes through a decent static analysis tool.
Yes this absolutely is the goal. I'm trying to keep the codebase as small and clear as possible.
> Design by Contract
Working out the precise pre and post conditions of every state would indeed be worthwhile. For all state transitions of the protocol, I've worked out by hand every possible combination and accounted it for it. I should publicize this work (i.e. type up my handwritten notes), and then let others join building on top of it.
"Working out the precise pre and post conditions of every state would indeed be worthwhile. For all state transitions of the protocol, I've worked out by hand every possible combination and accounted it for it. I should publicize this work (i.e. type up my handwritten notes), and then let others join building on top of it."
That's actually... great. It's exactly what high-assurance security did in kernels and VPN's. I'm impressed. You should definitely write that up and share it for peer review. Also, since you've done it, the next step is to review each one to make sure security properties are maintained or it fails fast, safe, and loud. :)
This looks interesting and I will be sure to check it out when I get the chance. I see from the examples on the site that it's IPv4 everywhre. Is there IPv6 support ? If not, is it on the roadmap ?
IPv6 definitely is supported. I should add some examples. Every place you see an IPv4 address an IPv6 one can go. They can even be mixed and matched. There's full support and it works quite well.
Open source projects that are not GPL'd cannot adopt the code; it's meant to be linked into the kernel, and so distribution will trigger the viral licensing clause covering the entirety of the kernel.
For example, there are a myriad of products based on BSD; everything from pfSense at the low-end, the Juniper routers at the high-end.
If the goal is to make money by licensing the code for non-GPLv2 use, then the GPL might make sense, if you're unconcerned about limiting market adoption by precluding integration by non-GPL products.
I suspect it has to be in kernel for efficiency reasons. Because applications access network devices through kernel interfaces; the kernel has to context switch and copy data to and from the userspace VPN process; This can be quite slow.
On a microkernel system, the standard way of connecting to the network stack might be through direct shared memory; and on such a system you could manage to run the VPN in userspace at essentially no cost.
However, on Linux, most of the network stack is in the kernel; the ABI for interacting with network hardware is stable. So while in theory you could write an efficient userspace VPN, it would require you to modify or at very least recompile your applications.
Why is this in the kernel? It seems to me like a failed separation of concerns compared to running this in userspace. There shouldnt be anything magical requiring this level of coupling.
Because it's necessary for any reasonable performance. If you're concerned about this, you might have several heart attacks when you look at the obscene amount of code that IPsec has in the kernel. IPsec is the only other alternative for high speed VPNs, and it's frighteningly complex, both in deployment and in codebase.
WireGuard, on the contrary, is around 4000 lines of core code. This is super short, and allows for a single individual to audit it. By focusing on simplicity and ease-of-auditability, I hope to achieve something that can be considered secure.
Compare this to the massive codebase of OpenVPN/OpenSSL and the various other userspace (read: slow as mollasses) VPNs. WireGuard is considerably shorter and simpler than those too.
Also, keep in mind that on Linux, jumping from userspace to ring0 execution isn't exactly difficult. So in practice I'm not sure it matters.
I make a living by exploiting kernels. This makes me very aware of the questions associated with running this in the kernel. I've tried to write WireGuard using my experience breaking similar codebases; WireGuard is short enough that it should receive the thorough attention that this sort of software deserves. By focusing on simplicity, I think we can in time achieve something quite trustworthy.
Finally, there will be a (necessarily lower speed) cross platform implementation released that's written in Rust. At the end of the day I suspect that all parties will find themselves pleased.
I love DPDK. Super fun. I've actually made a few projects with it. But this is for creating closed network systems, not for integrating into Linux's networking infrastructure. If somebody would like to produce a WireGuard implementation (library, I guess) for DPDK, I'd be super happy about this, and I'm sure it'd find some specialized users. But for everything else, there's the ordinary design.
It is absolutely possible to create DPDK applications that send/receive data into the Linux network stack using KNI [1]. I'm not sure if I'm qualified to say whether DPDK is “for” something, but the means to achieve this exist.
Both userspace stacks bypass several standard kernel interfaces to achieve good performance. If you want to integrate with normal kernel configuration (interface, routing, etc) and BSD sockets, then maybe you do need to be in the kernel. (Maybe it's possible to improve user<->kernel interfaces to reach good performance in userspace with standard kernel configuration, but we aren't there yet.)
However it's basically true. You need to be running specific hardware and/or drivers to make use of kernel bypass. You most definitely will never be able to use DPDK on the average laptop.
For a VPN that intends end-user device deployment it's kind of silly to require specific hardware.
Why necessarily lower speed? Are you hinting at bounds checking? I would think that a rust implementation might have slightly more pressure on the CPU but would not effectively be slower. Am I wrong?
Right, I heard about the Rust kernel module[1], but perhaps its environment isn't friendly enough yet to attempt to port a project like this to?
edit: Just read a little bit of its source, apparently you have to disable std, and he replaces it with his own linux_std that at this point has only printf implemented. So yeah it'd be a pretty intense project if one would attempt it :)
What are the odds of getting Linus to approve of Rust? It would be the greatest thing ever. Imagine the impact on the C++ community.. You might say I'm a dreamer, but I'm not the only one ;)
Since we appear to be bolted to the top of the thread, I'll repeat a point I buried deeper in the thread:
Maybe some readers of this thread are in the habit of casually bringing up random VPN connections between individual Linux machines. But in my experience, people tend to invest in VPN configurations so they can connect developers and ops to deployment environments and company networks. That's like, the big use case for serious VPNs.
In a serious VPN deployment, if you lose code execution on the VPN server, whether the attacker took the kernel or just a userland process is somewhat far down the list of concerns you have to deal with. A better first concern is "how many machines inside the VPN did the attacker just get code execution on because they can now make direct TCP connections to all our internal services".
From that vantage point, I'm a little less concerned about whether my VPN server is at CPL0, and a lot more concerned with things like "how complex is this code and how straightforward is it to audit".
I'm guessing the parent wasn't really considering the kernel/userland distinction in terms of security (for, after all, a daemon running as root in userland isn't all that different from running in the kernel in terms of attack surface; the real security boundary lies between privileged/unprivileged in userland, not between kernel and userland.)
Rather, I expect what the parent wanted to assert was that a novel malformed packet to a badly written VPN shouldn't bring down the entire VPN gateway machine, but rather just the VPN daemon itself, which can then be brought back up by init(8).
Or, to put it another way—even though the Linux kernel is monolithic, it can still pay to treat it as a microkernel and isolate fault-prone code outside of it.
This was one of the original big benefits of running e.g. the NTFS-3G in FUSE, when that support was experimental: the NTFS-3G driver did crash—often!—and your OS stayed up. The—usually external—drive would just get unmounted, and have to be fsck(8)ed.
Now, the argument you used also kind of answers this: in full deployments, we've got dedicated VPN gateways on either side of the connection, so if the VPN process crashes, the whole machine may as well have crashed, since it's not doing much of anything else anyway.
That's probably true for most networks, but I could think of one exception: a VPN gateway serving multiple customer sites. You'd really rather that one VPN "receiver" process crash on that host (like one webserver instance serving one request) than that the whole machine crash.
And getting from userspace -> kernel doesn't pose much of a challenge for attackers. Especially on stock Ubuntu machines that are so popular. You could probably even find priv esc exploits on github/blogs for a good chunk of VPS servers. I did that when I forgot a root password on a yr old machine recently.
Interesting! Would you please like to post some links to actual privilege escalation code for a stock Ubuntu 16.04 - thank you very much for your attention!
Who said anything about VPN server? The client is running the same code; what if it's popped?
> But in my experience, people tend to invest in VPN configurations so they can connect developers and ops to deployment environments and company networks. That's like, the big use case for serious VPNs.
You're missing the other big use case: VPNs used to get one's internet access through a different network, in order to evade the Great Firewall, limit NSA surveillance, increase security on public Wi-Fi networks, or just watch Netflix in the 'wrong' country. These are often commercial (not that commercial VPNs are going to use WireGuard as long as it's Linux only, but hopefully it'll be ported to other OSes before long). In this case there are two ways the client could be attacked: the network itself could be modifying packets or doing a MitM attack, or the server could be hostile (either after being hacked itself [maybe with the same exploit] or, mostly applicable to government attacks, because it was set up as a honeypot).
With a network attack, the VPN code is one of the only bits of attack surface available to the attacker, especially if they don't know your IP on the other end. A hostile VPN server you route all internet access through, in comparison, already has quite a lot of power over you (hopefully you access all important services over TLS), and at the very least makes it easy to deliver (easier-to-find) browser exploits - but in theory the VPN implementation provides some additional attack surface which bypasses all sandboxes. Also, paranoid users may have a setup where their browsing is done inside a VM, whose connection is routed through a VPN on the host end. This helps ensure that they're not accidentally passing traffic through the wrong interface or leaking their real IP, and provides some protection against attackers who get code execution with the goal of finding said IP (see FBI Tor malware). In such a setup, any networking code running outside the VM is an interesting target.
Linux isn't all that secure against unsandboxed user processes, but VPN code has a simple enough interface that it could in theory be sandboxed effectively using seccomp-bpf.
The Great Firewall tries to block VPNs anyway, so a Chinese attack isn't all that realistic as things stand, but who knows, it might be nice if WireGuard grew some kind of obfuscation support. And that leaves the NSA and others.
Anyway, I don't actually think there's a problem with WireGuard living in the kernel! - because I don't think it presents much attack surface. It's a very small codebase, and performance is important for these applications. Actually, I wholeheartedly approve of WireGuard: it seems like a really nice design, and I've experienced the pain of just getting other VPN implementations to work, never mind securely. But if there is a vulnerability in WireGuard, then for the reasons I've stated, I think its placement in the kernel matters.
You seem to talk about a completely different use of VPN. The "VPN server you route all internet access through" is a glorified encrypting web proxy. There's no "server" in WireGuard as far as I can tell - it's only peers which expose whole networks behind them. Both use cases call for very different solutions: The corporate-style VPN protects your networks and remote endpoints from someone random connecting to them. The glorified web-proxy style VPN needs to mainly encrypt all the outgoing traffic.
I doubt WG is a real candidate for the case you're talking about.
It's very common to use existing VPN protocols for proxying - Google "VPN" and you'll find many commercial services. And the WireGuard white paper mentions passing all traffic to a single peer as a possible configuration, so I think it should be usable for it as well, modulo OS compatibility. Which is good, because existing VPN software suffers from the same configuration and security headaches whether it's used for proxying or corporate networks, and non-VPN proxies are an inadequate solution.
Web proxies are suboptimal because they only work with web traffic, or even if you use HTTP CONNECT, only TCP. SOCKS is mildly better at a protocol level, with SOCKS5 supporting both TCP and UDP, but still suboptimal if the server end is able to give each client its own IP address (not so common with IPv4 but easy with IPv6), due to the existence of protocols other than TCP and UDP. More importantly in practice, SOCKS clients are typically implemented in userland rather than the kernel, so each individual application needs to be configured to use the tunnel. There is software that lets you use any program with SOCKS by hooking socket API calls, but that's essentially a hack, and has many practical issues. Much nicer to just have the tunnel as a network interface like any other, and let the kernel's network stack work as it was designed - which is usually done with VPN software. VPN also lets one host transparently handle proxying for another, e.g. a router for a home network, or the host in the VM setup I mentioned in my original post.
I think you missed my point. Sure, every VPN solution can be turned into "proxy all internet traffic through there" with enough configuration. What I meant is that tptacek was talking about commercial/serious VPN as in corporate usage, not commercial as in "it takes money from anyone".
You're talking about two completely different use cases with very different goals and potential issues.
You said that WireGuard was not "a real candidate for the case you're talking about", and I explained why it being (eventually) widely adopted for that case is both possible and desirable. I don't see much point in arguing over what tptacek meant.
I was not concerned about it from a security perspective at all. What I'm concerned about is poor software engineering. The fact that something like a particular flavor of VPN needs to be integrated directly into the kernel smells to me like a shortcut to skip improving the kernel to enable better userland networking code. Why this VPN proto and not the next hot item of the month? How about we start throwing some load balancing code directly into the kernel? How about some TLS termination?
Tinc [1] is a userspace VPN, and a good demonstration of how slow networking gets when done that way, compared to kernel-mode VPN routing such as IPsec and VxLAN.
Because of the kernel/userspace model of Linux and missing efficient microkernel structure which would lend itself more fittingly to an efficient network tunnel. We're using monolithic kernels because they've attracted the most driver support over the years, but with things like seL4 out in the open, this is bound to change because there's no argument that there's no modern microkernel available to build hardware drivers on. On top of stability, you also get a viable capability system in seL4.
Note: This project, despite having the text of the GPL 2 in a file named “COPYING”, is not actually licenced under GPL 2. The actual copyright statement found in source files is “Copyright 2015-2016 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.”. It does not reference the GPL. This means, legally, that nobody can do anything with it.
If the author actually meant to licence it under the GPL 2, he should read and follow the instructions in the GPL itself, more specifically the section at the end titled “How to Apply These Terms to Your New Programs”.
That may technically be true, but if the author was to sue anyone based on that argument, this project itself would be in violation of copyright law, since all the code seems to be distributed only as a Linux kernel module (with all files #including kernel headers and such) and so it actually has to be distributed under the GPLv2.
This is true, but I imagine that no company will actually use or distribute this project in any way, since it is actually illegal (however technically) for them to do so until this issue is resolved.
I don't really have any problem re-licensing it less restrictively, I don't think. I'll have to think about it for more than 10 seconds I suppose. But I put "GPLv2" there without much thought simply because that's what Linux uses. But you make a good point about the BSDs.
Remember interoperability in mixed-OS environments. You won't get uptake or contributions from Microsoft, etc. if they have to re-license their kernel in GPL v2. Getting all links encrypted by default might be a worthy enough goal for a BSD license that proprietary will mooch off of. We all benefit in such situations. Especially given how often they muck up VPN's when they code them on their own. ;)
> How do you deal with MTU? OpenVPN's handing is particularly bad [1]?
MTU is dealt with the same way as other kernel space tunneling devices.
> Is the whole protocol in-kernel or just the data plane?
All of it, which is why there's so much emphasis on simplicity.
> For admins who want to provision large number of clients, do you ever plan to implement some kind of certificate hierarchy?
Rather, the goal is to make the kernel interface very simple and minimal, so that admins can then glue ontop whatever situation they want. This could be certificates, or pigeons, but the important thing is that it's a layer ontop (in userspace), and not intimately bound to the core.
Are there currently methods where unknown public keys are passed to a userspace application to be verified? Or is this something that will be implemented in the future?
As mentioned in the roadmap and the cross-platform page, we're working on a cross-platform userspace client, so Mac and Windows users can use it too. It's in the works!
This comment was marked 'dead', but I think it was a useful question (though maybe a little aggressive in its wording):
> So what's the point ? Linux is a niche market. Mac & Windows will be the vast majority of your users and won't enjoy your killer kernel-based feature...
Even when Windows/Mac are the vast majority of clients, each client only needs to process its own traffic. The VPN gateway is more likely the bottleneck, since it needs to process everyone's traffic. There are many organizations that would have no problem running Linux on the VPN gateway and could reap the benefits.
Also, the Linux in-kernel implementation is just the first(?) thing being released. WireGuard is a VPN protocol and its killer feature is good security that's simple enough to implement in 4000 lines of code. This simplicity makes it easier for someone to write a Windows/Mac kernel driver.
It's not possible to do highspeed crypto from userspace while still integrating with the usual networking stack. Tun devices result in copies and context switches which makes things quite slow.
This also adds quite a bit of simplicity.
But sure, I agree, it's scary. But not nearly as scary as the obscenely huge xfrm/ipsec layer in the kernel. Or the dozens of other kernel tunneling deivces available. And I dare even say it's not as scary as most userspace VPN solutions like OpenVPN which are massive code bases. WireGuard, in contrast, aims to be quite minimal in its codebase, so that it can be audited by an individual.
I didn't make the title of this HN post, unfortunately. But do note: there _will_ be userspace implementations of WireGuard. It's most certainly not tied to the kernel. It's just that the OP saw me present at a kernel conf about it. :P
So, everyone needs to take a deep breath here. In kernel VPN is giving me a bit of a security heart attack. As a security professional I would recommend not running this on anything but a sandbox that isn't connected to your environment. A single misstep in the code, a bad implementation of a crypto library or a bad hook could easily lead to ring 0 compromise.
Not trying to discount the author's work, and I haven't reviewed any of the documentation, but until this gets evaluated by a CC lab (or like independent group) I would not implement in anything you care about.
As a "security professional", I kind of don't care whether this is in-kernel or not.
First, this is Linux, and if someone manages to get code execution in your unprivileged userland program, the odds of you keeping them out of your kernel are already pretty low.
Second, and more importantly, this is VPN software. If your VPN gets popped, you probably have bigger problems than whether the attacker got the kernel on the VPN server, as opposed to just being able to create arbitrary network connections from the "inside" of the VPN.
If you don't want to run it, don't run it. If you're going to ask me whether I'd trust OpenVPN more than WireGuard, no, I do not.
What do you want me to say? I'd think it ought to be self-evident that greater risks exist when operating in a single shared memory space at ring 0. If nothing else, the trampoline to privilege is already complete; very little stands between a vulnerability and an active exploit.
The end goal ought to be getting more things out-of-ring 0, not adding more things to it -- I'm never going to say that "I'm not concerned" or that "It's a non-issue" (although I will say that I'm a lot more worried about the massive amounts of crap code in WiFi drivers than I am about a VPN implementation, generally speaking).
In the OpenVPN case, numerous vulnerabilities have been limited to only DoS exploits due to the zealous use of assert(); in the kernel case, that brings down your machine, and quite often, assertions are compiled out of the release kernel due to their overhead in critical paths (whether they should be is another question).
netmap is a framework for extremely fast and efficient packet I/O for
both userspace and kernel clients. It runs on FreeBSD and Linux, and
includes VALE, a very fast and modular in-kernel software switch/data-
plane, and netmap pipes, a shared memory packet transport channel. All
these are accessed interchangeably with the same API.
netmap, VALE and netmap pipes are at least one order of magnitude faster
than standard OS mechanisms (sockets, bpf, tun/tap interfaces, native
switches, pipes), reaching 14.88 million packets per second (Mpps) with
much less than one core on a 10 Gbit NIC, about 20 Mpps per core for VALE
ports, and over 100 Mpps for netmap pipes.
Userspace clients can dynamically switch NICs into netmap mode and send
and receive raw packets through memory mapped buffers. Similarly, VALE
switch instances and ports, and netmap pipes can be created dynamically,
providing high speed packet I/O between processes, virtual machines, NICs
and the host stack.
It's possible to shake off OpenVPN and TLS without shaking off use of tun/tap. I use a tun/tap based "VPN" (overlay) and I quite like it. One could even add NaCl to it if they were so inclined.
I sometimes think Apple removed /dev/tap from iOS because it provided too much potential freedom.
Not every user needs in-kernel performance for their daily routine but there's certainly an argument that every user could use a decent "VPN" that could run on all their computers.
Alas, OpenVPN mindshare is rather strong, to the detriment of existing or future userspace alternatives.
I'm curious, you don't agree that the complexity of an access vuln + privesc vuln is a better defender position than a single vuln to ring-0?
It kind of seems to fly in the face of the multiple layers of userland and kernel separation engineering we've seen go into other attack surfaces like browsers?
All things being equal I do think it's better to be in the former position than the latter.
But all things are not equal. Any code execution on the VPN server practically implies that the attacker controls the VPN, which is game-over for most VPNs I've ever worked with. So my priority would be "not having those kinds of vulnerabilities at all". I'd rather have simpler, easier-to-audit code than userland, if I have to choose one.
"If someone manages to get code execution in your
unprivileged userland program, the odds of you keeping
them out of your kernel are already pretty low."
Are you running the grsecurity patches? If not, everything they do that your kernel doesn't do is another reason your userland will inevitably cough your kernel up to an attacker at some point. Even with those patches, it's still an inevitability; it's just that interval is longer.
I don't run them! I do something easier: I assume that if I lose control of userland on a Linux machine, I've lost the whole box.
It is especially weird, though, to see security people engaging in this kind of risk reasoning. It seems to me that most of the times you lose code execution on your VPN server, the kernel security of the VPN server is pretty far down the list of problems you need to deal with.
For an alternative view, having the apps in user-mode with mandatory controls and such has isolated many real-world vulnerabilities. Even in the shoddy, inadequate implementation that is SELinux. Further, as attackers are battling constraints, they increase odds of generating logs that detect their presence via the unauthorized behaviors. There's also products and prototypes that constantly read memory to find anomolous patterns that depend on kernel or hypervisor layer integrity. The protections get even stronger if using microkernel, capability, pointer, or tainting protection.
So, despite severity of VPN-level compromise, there's advantages mainly in detection and damage limitations if it's a strongly-constrained process. Hell, I've done prototypes that used fixed memory with only networking privileges needed that logged their own behavior to immutable storage. You could compare the execution and logging to a profile. Outside that range, it was a crash or attack. Clive Robinson taught me that last part. Others were Orange and Red Book 101.
> In kernel VPN is giving me a bit of a security heart attack.
You may be surprised, then, that most of the standard VPN tech — IPsec, GRE+PPTP, VxLAN, etc. — operate in the kernel (with some help from userland apps for things like IKE).
I'm referring to Linux, where the implementations of those protocols are kernel modules. There are user-space implementations, of course, such as Rockhopper (IPsec). But they're not performant.
It's faster. Performance usually matters more than security for most "security" products. ;) Having extra code in kernel is usually just asking for it. Here's one done closer to high-assurance principles that I'm sure the WireGuard scheme could be ported to:
Far as keeping it in kernel, it might be implemented in SPARK and Rust to see if it gets through static and dynamic (if necessary) checkers. Test and fuzz it heavily. If C, use strong, static tools to show correctness and/or compiler transformations like SAFEcode (or Softbound+CETS) to immunize it. I know Criswell runs Linux kernel on SVA-OS with SAFEcode but not sure if S+CETS can do it. Such approaches will knock out most of the flaws that lead to code injection.
Maybe most likely, but not necessarily obvious. While there's no popular module for kernel written in something else than C (as far as I know), there are known ways to write working non-C modules.
C was best assumption as 99+% chance it would be C. Yet, you are right in that I've seen device drivers for Linux done in Ada and ATS languages. It's why I usually don't assume but one was warranter here.
Looks awesome! I can't wait to play with it when it hits 1.0.
In advance of that, I'm curious: What's the tl;dr: on how this compares to Tinc? In particular, I'm wondering what WireGuard's mobile story looks like, especially in comparison with Tinc's (which is pretty rudimentary as far as I can tell), and about the extent of effort that's likely to be involved in ongoing configuration management.
Endpoint IPs are learned based on successfully authenticated/decrypted packets. The Endpoint= entry in the config is just the location of an initial server endpoint. Inner tunnel IPs are fixed in the config, and it's up to things that build ontop of WireGuard to manage this however fits best.
Your concern (1) is valid, but fortunately that's an over-simplification in the casual introduction part of documentation, which I'll fix. Sorry about that. This should read more like, "Encrypt entire IP packet using the symmetric session associated with peer ABCDEFGH." Thanks for pointing this out. As for (2), WireGuard indeed does padding; see the protocol page or the paper for details.
Does the protocol implement any kind of negotiation (ciphers, ...) ? if not, how would you handle future type of attacks against the then hardwired constructions ?
I fully agreed that being in-kernel is the right choice for performance, but the chosen constructs excludes the possibility of using any type of existing crypto hardware accelerator that shines in the IPSEC use-case (cache cold data == no cache flush overhead, fully async processing of packets with DMA chaining). Time to start lobbying SOC vendors :)
The cipher suite is part of the Noise preamble, so all operations are crytographically bound to the cipher suite to prevent against related-algo attacks. WireGuard itself has no plans for cipher agility, something that is considered an anti-feature. If these ciphers are ever considered problematic, we'll change them and release a new version (with an incremented preamble), and the new set of ciphers will be similarly non-configurable.
Fortunately AVX2-accelerated (and soon AVX512-accelerated) ChaPoly is super fast in pretty much all hardware.
Performance comparison would be welcome, especially on low-end hardware. For example, I'm getting 12 Mbps with OpenVPN BF-CBC on AR9341, I wonder what could WireGuard achieve.
It would be useful to have option to connect to VPN server trough SOCKS/HTTP proxy like you can do with OpenVPN, and it is useful for traffic obfuscation and combining VPN with Tor/I2P. Another thing that I like is XOR patch for OpenVPN (https://github.com/clayface/openvpn_xorpatch), that can be very useful in hiding you are connecting to VPN.
Similar cryptographic building blocks. WireGuard has an emphasis on no-negotiation, which it inherits from Noise, which is Trevor Perrin's well-regarded crypto protocol construction kit. As an application, WireGuard is _way_ simpler than ZeroTier; it's something you would build the remaining 90% of ZeroTier on top of.
I was going to ask that myself but ZeroTier provided a hint. It seems to be aiming for more than a simple, IPsec replacement. It will have more features and complexity no matter what. Also, Jason already speced out the WireGuard protocol plus intends a Rust port. Will significantly increase code-level security over ZeroTier. Both need strong, peer review at protocol and implementation levels, though. As always with these things.
Yes, our goals are much broader than VPN. You can think of ZeroTier as a virtual smart switch built on a P2P network; a "smart switch for Earth." We want to totally abstract away the physical network. A lot of ZT's complexity over WireGuard is about working around the underlying network (NAT-t, dual-stack support, dealing with timeouts and path failures, relay fallback, peer location and roaming, redundancy, etc.) as well as smart switch features and robustness against DOS attacks and similar things.
Nevertheless ZT's core code really isn't that big. The core protocol implementation is 23,000 lines of C++ code. This includes many very long comments documenting the protocol, etc., so total lines of actual code is probably more like 18-20k. It's comparable to an embedded TCP stack.
WireGuard does have some things in common with ZeroTier, such as the use of cryptography to identify endpoints and eliminate the hard-coding of endpoint addresses. This is one of many ways that IMHO cryptography actually simplifies networking. I really like the WireGuard design in general and I think it has a somewhat different use case from ZeroTier, namely fast long-lived provisioned links across WANs and insecure LANs. You could use ZT for that but this being in-kernel makes it likely faster. In any case I hate IPSec (over-engineered mess, terribly hard to configure) so any alternative to that is welcome.
(Edit: there are things you can do to speed up user-mode networking like zero-copy data paths, etc., so it's not guaranteed that this would always be faster. But that's another topic.)
Please let me know if this has already been posted.
Is there any worry that someon might perform a DoS attack against a client by replaying a valid packet from the target from different hosts so that the other servers cannot correctly route to the real IP of the target? This is based solely off of the description on the homepage and it might not be possible due to implementation details I'm unaware of.
Replay attacks don't work because of the nonce, so that's handled successfully.
But an attacker with an active man in the middle position might change the outer (unencrypted) src IP of a packet. However, that src will need to be able to produce authentic replies; otherwise the session will quickly be deemed invalid, so that mitigates any potential very oddball amplification attacks you could dream up. And regardless, an attacker with this kind of active man in the middle can already drop packets at will, so this isn't a vulnerability.
I'm the author of this and would be happy to answer any questions you have.